Software security testing may be used to identify vulnerabilities in an application, such as a web-based application. Traditional black-box security testing may use a security testing application that poses as an attacker. The security testing application may also monitor the instructions executed by the application in response to the attack. Analysis of these triggered instructions may facilitate detection of vulnerabilities that permit unscrupulous users to insert malicious code therein.